Suppose that we have a process that generates passwords with entropy E . I\'d li
ID: 659932 • Letter: S
Question
Suppose that we have a process that generates passwords with entropy E.
I'd like to compute the average time it would take for a brute-force attack to crack an MD5-hashed instance of such a password.
From the entropy E (in bits), I can compute the total number N = 2E of candidate passwords in the universe from which a given password was chosen. On average, a brute-force attack would have to MD5-hash N/2 candidate passwords in order to crack a specific instance.
But this calculation does not give me the amount of time that this would take. For this I need some multiplier for computational performance, something of the form "x candidate passwords/second".
I imagine that computer security experts have some rule-of-thumb number to plug in for such multiplier x. If so, what is it?
(Of course, if the multiplier x does not take into account the possibility of multiple processors working in parallel, then whatever time one computes using such a multiplier would have to be divided by the number P of processors that the attacker can have running in parallel. If there's a standard rule-of-thumb-like value for P, I'd be interested in that too.)
Explanation / Answer
The term you're looking for is "hash rate", and a quick Google search indicates that a GPU-based password cracker can try on the order of 10^10 passwords per second when cracking MD5 hashes.
Generating hashes is an example of an "embarrassingly parallel" process, so doubling the available computing resources will double your hash rate.